Abstract. This paper presents a mathematical foundation and a rewriting logic infrastructure for the execution and property verification of synchronous set relations. The mathematical foundation is given in the language of abstract set relations. The infrastructure consists of an order-sorted rewrite theory in Maude, a rewriting logic system, that enables the synchronous execution of a set relation provided by the user. By using the infrastructure, existing algorithm verification techniques already available in Maude for traditional asynchronous rewriting, such as reachability analysis and model checking, are automatically available to synchronous set rewriting. The use of the infrastructure is illustrated with an executable operational semantics of a simple synchronous language and the verification of temporal properties of a synchronous system.


1 Introduction 

Synchronous set relations provide a natural model for describing the operational semantics of synchronous languages. Previous work by the authors [11] gives a serialization procedure for simulating the execution of synchronous set relations by asynchronous term rewriting. The synchronous execution of a set relation is a parallel reduction, where the terms to be reduced in parallel are selected according to some strategy. The serialization procedure has been used to provide the rewriting logic semantics of the Plan Execution Interchange Language (PLEXIL) [5], a synchronous plan execution language developed by NASA to support spacecraft automation [6].

Despite being generic, the serialization procedure proposed in [11] has to be coded by the user for each synchronous language. This paper extends that work in two ways. First, it generalizes the theoretical development of synchronous set relations by extending the notion of strategy to enable a larger set of synchronous transformations. Second, it introduces an infrastructure in Maude [4], a high-performance reflective language and system supporting asynchronous set rewriting, that implements on-the-fly a serialization procedure for a synchronous language provided by the user. These contributions allow for simpler and more succinct language specifications, and more general synchronous set relations.

Formally, a synchronous set relation is defined as the synchronous closure of an atomic relation with a given strategy. Two sets are synchronously related if the first set can be transformed into the second set by parallel atomic transformations. The selection of the redexes in the source set is done by the strategy. Strategies can be defined using priorities, which solve conflicts arising from the overlapping of atomic transitions. Section 2 presents, in an abstract setting, definitions of synchronous set relations, strategies, and priorities.

The infrastructure presented in this paper uses the reflection capabilities of Maude's rewriting logic, which is succinctly described in Section 3.1. Maude supports set rewriting, i.e., rewriting modulo axioms such as associativity, commutativity, and identity. These features are well-suited for object-based concurrent systems. The infrastructure consists of a rewrite theory in Maude, defining a set of generic sorts and terms, the algebraic properties of the datatypes, and a set of functions and rewrite rules that support the synchronous execution of an atomic set relation. The infrastructure is described in Sections 3.2 and 3.3.

As a direct advantage of using this infrastructure, all commands in Maude for rewrite theories, such as its rewrite and search commands, and formal verification tools, such as Maude's LTL Model Checker, are available for analyzing properties of synchronous set relations. Section 4 illustrates the use of the infrastructure by giving an executable semantics of a simple synchronous language with arithmetic expressions. Section 5 illustrates the use of Maude's LTL Model Checker for the verification of temporal properties of a synchronous set relation.

The infrastructure in Maude and the examples presented in this paper are 
available from http://sh.emesh.larc.nasa.gov/people/cELm/PLEXIL. 


2 Abstract Synchronous Set Relations 

This section introduces the concepts of abstract set relations used in this paper. 

Let $\mathcal{U}$ be a set whose elements are denoted $A, B, \ldots$ and let $\to$ be a binary relation on $\mathcal{U}$. An element $A \in \mathcal{U}$ is called a $\to$-redex if there exists $B \in \mathcal{U}$ such that the pair $(A;B) \in \to$. The expressions $A \to B$ and $A \not\to B$ denote $(A;B) \in \to$ and $(A;B) \notin \to$, respectively. The identity relation and the reflexive-transitive closure of $\to$ are defined as usual and denoted $\to^{0}$ and $\to^{*}$, respectively.

Henceforth, it is assumed that $\mathcal{U}$ is the family of all nonempty finite sets over an abstract and possibly infinite set $T$, i.e., $\mathcal{U} \subseteq \wp(T)$ and $\emptyset \notin \mathcal{U}$, and, therefore, $\to$ is a binary relation on finite sets of $T$. The elements of $T$ will be denoted by lowercase letters $a, b, \ldots$. When it is clear from the context, curly brackets are omitted from set notation, e.g., $a,b \to b$ denotes $\{a,b\} \to \{b\}$. Because of this abuse of notation, the symbol "," is overloaded to denote set union, e.g., if $A$ denotes the set $\{a,b\}$, $B$ denotes the set $\{c,d\}$, and $D$ denotes the set $\{d,e\}$, the notation $A, B \to B, D$ denotes $\{a,b,c,d\} \to \{c,d,e\}$.

The parallel relation $\rightrightarrows$ of $\to$ is the relation defined as the parallel closure of $\to$, i.e., the set of pairs $(A;B) \in \mathcal{U} \times \mathcal{U}$ such that $A \rightrightarrows B$ if and only if there exist $A_1, \ldots, A_n$, (nonempty) pairwise disjoint subsets of $A$, and sets $B_1, \ldots, B_n$ such that $A_i \to B_i$ and $B = (A \setminus \bigcup_{1 \le i \le n} A_i) \cup \bigcup_{1 \le i \le n} B_i$.

This paper focuses on synchronous set relations. The synchronous relation of an abstract set relation $\to$ is defined as a subset of the parallel closure of $\to$, where a given strategy selects elements from $\to$. Formally, a $\to$-strategy is a function $s$ that maps an element $A \in \mathcal{U}$ into a set $s(A) \subseteq \wp(\to)$ such that if $\{(A_1;B_1), \ldots, (A_n;B_n)\} \in s(A)$, then $A_i \subseteq A$ and $A_i \to B_i$, for $1 \le i \le n$, and $A_1, \ldots, A_n$ are pairwise disjoint.

Definition 1 (Synchronous Relation). Let $s$ be a $\to$-strategy. The relation $\to_s$ denotes the set of pairs $(A;B)$ in $\mathcal{U} \times \mathcal{U}$ such that $A \to_s B$ if and only if $B = (A \setminus \bigcup_{1 \le i \le n} A_i) \cup \bigcup_{1 \le i \le n} B_i$, where $\{(A_1;B_1), \ldots, (A_n;B_n)\} \in s(A)$.

Example 1. Let $T$ be the set of distinct elements $a, b, c, d, e$, and the relation $\to = \{r_1, r_2, r_3\}$, where $r_1 = (a,b \,;\, b,d)$, $r_2 = (c \,;\, d)$, and $r_3 = (a,c \,;\, e)$. Let $s_1$, $s_2$, and $s_3$ be $\to$-strategies defined for $A = \{a, b, c, d\}$ as follows.

$$s_1(A) = \{\{r_2\}, \{r_3\}\}, \qquad s_2(A) = \{\{r_1, r_2\}\}, \qquad s_3(A) = \{\{r_1, r_2\}, \{r_3\}\}.$$

It holds that:

$$a,b,c,d \to_{s_1} a,b,d, \qquad a,b,c,d \to_{s_1} b,d,e, \qquad a,b,c,d \to_{s_2} b,d,$$

$$a,b,c,d \to_{s_3} b,d, \qquad a,b,c,d \to_{s_3} b,d,e.$$

Some strategies relevant to the operational semantics of synchronous languages are those strategies defined based on a priority. A priority $\prec$ for a relation $\to$ is a $\mathcal{U}$-indexed set $\prec = \{\prec_A\}_{A \in \mathcal{U}}$ with each $\prec_A$ a strict partial order on $\to \cap (\wp(A) \times \mathcal{U})$. Priorities can be used to decide between overlapping redexes.

Definition 2 (Saturation). A set $\{(A_1;B_1), \ldots, (A_n;B_n)\} \subseteq \to$ is $\prec$-saturated for $A \in \mathcal{U}$ (or $\prec_A$-saturated), with $\prec$ a priority for $\to$, if and only if

1. the sets $A_1, \ldots, A_n$ are nonempty pairwise disjoint subsets of $A$,

2. each $(A_i;B_i)$ is such that for any $A' \to B'$ with $A' \subseteq A$ and $A' \cap A_i \neq \emptyset$, $(A_i;B_i) \not\prec_A (A';B')$, and

3. if there is $A' \to B'$ with $(A';B') \notin \{(A_1;B_1), \ldots, (A_n;B_n)\}$ and $A' \subseteq A$, then either

 (i) there is $(A_j;B_j)$, for some $1 \le j \le n$, such that $A_j \cap A' \neq \emptyset$, or

 (ii) there is $A'' \to B''$ with $A'' \subseteq A$, $A'' \cap A' \neq \emptyset$, and $(A';B') \prec_A (A'';B'')$.

A $\prec$-saturated set is a complete collection of non-overlapping redexes in a term $A \in \mathcal{U}$, where any overlapping is resolved by keeping $\prec$-maximal redexes. Note that the $\prec$-maximality tests in conditions (2) and (3) of Definition 2 are given with respect to all pairs $(A';B')$ in $\prec_A$, and hence $\prec$-saturation exclusively depends on the ordering of the finitely many elements of $\to \cap (\wp(A) \times \mathcal{U})$.

Example 2. Recall the relation $\to = \{r_1, r_2, r_3\}$ and the set $A = \{a, b, c, d\}$ from Example 1. Let $\prec^1$ be such that $r_1 \prec^1_A r_3$. It holds that the sets $\{r_2\}$ and $\{r_3\}$ are $\prec^1_A$-saturated. However, the set $\{r_1, r_2\}$ is not $\prec^1_A$-saturated because $r_1$ falsifies condition (2) in Definition 2 with witness $r_3$. Let $\prec^2$ be such that $r_3 \prec^2_A r_1$. In this case, the only $\prec^2_A$-saturated set is $\{r_1, r_2\}$. The set $\{r_3\}$ is not $\prec^2_A$-saturated because $r_3$ falsifies condition (2) in Definition 2 with witness $r_1$. For $\prec^3_A = \emptyset$, the sets $\{r_1, r_2\}$ and $\{r_3\}$ are the only $\prec^3_A$-saturated sets.

A maximal strategy defines the most general synchronous behavior of a relation, which is given by all saturated sets.

Definition 3 (Maximal Strategies). Let $\prec$ be a priority for $\to$. A $\to$-strategy $s$ is $\prec$-maximal for $A \in \mathcal{U}$ (or $\prec_A$-maximal) if and only if $s(A)$ is the collection of all $\prec_A$-saturated sets. A $\to$-strategy is $\prec$-maximal if and only if it is $\prec_A$-maximal for all $A \in \mathcal{U}$.

Example 3. From Examples 1 and 2, the $\to$-strategies $s_1$, $s_2$, and $s_3$ are, respectively, $\prec^1_A$-maximal, $\prec^2_A$-maximal, and $\prec^3_A$-maximal.

Algorithm 1 witnesses the existence of maximal strategies, which are unique for a given relation $\to$ and a priority $\prec$ (for $\to$).

Theorem 1. Let $\prec$ be a priority for $\to$. Then a $\prec$-maximal $\to$-strategy exists. Therefore, from Definition 3, the $\prec$-maximal $\to$-strategy is unique.

Algorithm 1: The $\prec$-maximal $\to$-strategy.

Proof. It is proved that the existence of a $\prec$-maximal $\to$-strategy is witnessed by Algorithm 1, for any $A \in \mathcal{U}$ and priority $\prec$ for $\to$. First, the following are important and easy to prove remarks about Algorithm 1:

- all three loops (lines 3, 6, and 12) repeat finitely many times and all quantified conditions (lines 7 and 4) require finitely many comparisons because $A \in \mathcal{U}$ has finitely many elements; also the complexity of $\gamma$ decreases with each iteration of the third loop, i.e., Algorithm 1 terminates,

- $\alpha = \to \cap (\wp(A) \times \mathcal{U})$ is finite and can be computed effectively,

- $\beta = \alpha \setminus \{(A';B') \in \alpha \mid (\exists (A'';B'') \in \alpha)\; A' \cap A'' \neq \emptyset \wedge (A';B') \prec_A (A'';B'')\}$, i.e., $\beta$ is the subset of $\alpha$ in which all conflicting pairs in $\alpha$ that are not maximal elements in $\prec_A$ have been omitted,

- $\sigma \subseteq \wp(\beta)$ is the collection of largest non-conflicting subsets of $\beta$, and

- if $C \in \sigma$, then for any nonempty $C' \subseteq (\beta \setminus C)$, $C \cup C' \notin \sigma$.

Let $D = \{(A_1;B_1), \ldots, (A_n;B_n)\}$. It is enough to prove, for $A \in \mathcal{U}$ and priority $\prec$ for $\to$, that $D$ is $\prec_A$-saturated if and only if $D \in \sigma$.

($\Rightarrow$) If $D$ is $\prec_A$-saturated, then $D \subseteq \alpha$ follows by definition. If $D \not\subseteq \beta$, then there is $(A_i;B_i) \in D$ satisfying $(A_i;B_i) \prec_A (A';B')$ for some $(A';B') \in \alpha$ with $A' \cap A_i \neq \emptyset$. But then, for $D$, $(A_i;B_i)$ violates condition (2) in Definition 2, a contradiction. Hence $D \subseteq \beta$. If $D \notin \sigma$, since $D \subseteq \beta$ and the $A_1, \ldots, A_n$ are pairwise disjoint by assumption, either there is a nonempty set $D' \subseteq \beta \setminus D$ such that $D \cup D' \in \sigma$ or there is a nonempty set $D'' \subsetneq D$ such that $D'' \in \sigma$. If $D \cup D' \in \sigma$ and since $D'$ is nonempty, any pair $(A';B') \in D'$ violates condition (3) in Definition 2: clause (i) fails because $D \cup D'$ is non-conflicting, and clause (ii) fails because $(A';B') \in \beta$; this contradicts the $\prec_A$-saturation of $D$. If $D'' \in \sigma$, then for any pair $(A'';B'') \in D \setminus D''$ the set $C = D'' \cup \{(A'';B'')\}$ falsifies the test in line 14 of Algorithm 1 and hence $C \in \sigma$. Since $D'' \in \sigma$ and $D'' \subsetneq C \in \sigma$, this contradicts the last remark aforementioned. Therefore, as desired, $D \in \sigma$.

($\Leftarrow$) If $D \in \sigma \subseteq \wp(\alpha)$, then $A_1, \ldots, A_n$ are pairwise disjoint $\to$-redexes, thus subsets, of $A$. Thus, condition (1) in Definition 2 is satisfied. For condition (2), since $D \in \sigma$, it follows that $D \subseteq \beta$. Hence, any $(A_i;B_i) \in D$ satisfies condition (2) in Definition 2. For condition (3), assume there is $(A';B') \in \alpha$ with $(A';B') \notin D$. Then, either $(A';B') \in (\beta \setminus D)$ or $(A';B') \in (\alpha \setminus \beta)$. If $(A';B') \in (\beta \setminus D)$, then $D \cup \{(A';B')\} \notin \sigma$, as previously stated. However, $(A';B') \in \beta$, so it must be the case that $A' \cap A_i \neq \emptyset$ for some $1 \le i \le n$. If $(A';B') \in (\alpha \setminus \beta)$, then $(A';B') \prec_A (A'';B'')$ for some $(A'';B'') \in \alpha$ with $A'' \cap A' \neq \emptyset$. In either case, $D$ satisfies condition (3) in Definition 2. Thus, $D$ is $\prec_A$-saturated.

□
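The following Python block is an added worked example, not code from the paper or from its Maude infrastructure. It implements Definitions 1-3 over explicit finite sets, computes the $\prec$-maximal strategy exactly as the $\alpha$, $\beta$, $\sigma$ construction in the proof of Theorem 1 prescribes, and checks that the direct Definition 2 test agrees with the construction on every subset of $\alpha$ (the content of Theorem 1). The demonstration data are Example 1 and the three priorities of Example 2; a priority is passed as a predicate `prec(p, q)` meaning $p \prec_A q$, and the set $\sigma$ is enumerated by brute force, which is adequate for the small relations used here.

```python
from itertools import combinations

# Sets over T are frozensets; a redex (A';B') is the tuple (lhs, rhs); a priority
# is a predicate prec(p, q) that holds when p is below q (q wins an overlap).

def redexes_in(rel, A):
    """alpha in the proof of Theorem 1: the pairs of rel whose left side lies in A."""
    return [p for p in rel if p[0] <= A]

def conflict(p, q):
    """Two redexes overlap when their left-hand sides share an element."""
    return bool(p[0] & q[0])

def beta_set(alpha, prec):
    """beta: drop every pair that is below some conflicting pair under prec."""
    return [p for p in alpha
            if not any(conflict(p, q) and prec(p, q) for q in alpha)]

def sigma_sets(beta):
    """sigma: inclusion-maximal pairwise non-conflicting subsets of beta.
    Yields {frozenset()} when beta is empty, so a redex-free A steps to itself."""
    nonconf = [frozenset(c) for k in range(len(beta) + 1)
               for c in combinations(beta, k)
               if all(not conflict(p, q) for p, q in combinations(c, 2))]
    return {C for C in nonconf if not any(C < D for D in nonconf)}

def max_strat(rel, A, prec):
    """s(A) for the prec-maximal rel-strategy s (Definition 3 via Algorithm 1)."""
    return sigma_sets(beta_set(redexes_in(rel, A), prec))

def is_saturated(D, rel, A, prec):
    """Direct check of Definition 2 for a candidate collection D of redexes."""
    alpha = redexes_in(rel, A)
    lhs = [p[0] for p in D]
    if any(not L or not L <= A for L in lhs):                  # condition (1)
        return False
    if any(a & b for a, b in combinations(lhs, 2)):
        return False
    for p in D:                                                # condition (2)
        if any(conflict(p, q) and prec(p, q) for q in alpha):
            return False
    for q in alpha:                                            # condition (3)
        if q in D or any(conflict(q, p) for p in D):           # clause (i)
            continue
        if any(conflict(q, r) and prec(q, r) for r in alpha):  # clause (ii)
            continue
        return False
    return True

def sync_step(A, C):
    """Definition 1: remove every A_i of the chosen transition C, add every B_i."""
    removed = frozenset().union(*(p[0] for p in C))
    added = frozenset().union(*(p[1] for p in C))
    return (A - removed) | added

def successors(rel, A, prec):
    """All B with A ->_s B for the prec-maximal strategy s."""
    return {sync_step(A, C) for C in max_strat(rel, A, prec)}

def theorem1_holds(rel, A, prec):
    """Every subset of alpha is saturated iff it is in max_strat (Theorem 1)."""
    alpha = redexes_in(rel, A)
    strat = max_strat(rel, A, prec)
    return all(is_saturated(D, rel, A, prec) == (frozenset(D) in strat)
               for k in range(len(alpha) + 1) for D in combinations(alpha, k))

# Example 1 of the paper: T = {a, ..., e}, -> = {r1, r2, r3}, A = {a, b, c, d}.
S = lambda *xs: frozenset(xs)
r1, r2, r3 = (S('a', 'b'), S('b', 'd')), (S('c'), S('d')), (S('a', 'c'), S('e'))
REL = [r1, r2, r3]
A = S('a', 'b', 'c', 'd')
prec1 = lambda p, q: (p, q) == (r1, r3)   # r1 below r3: first priority of Example 2
prec2 = lambda p, q: (p, q) == (r3, r1)   # r3 below r1: second priority
prec3 = lambda p, q: False                # empty priority: third

if __name__ == '__main__':
    for name, prec in (('prec1', prec1), ('prec2', prec2), ('prec3', prec3)):
        print(name, sorted(sorted(C) for C in max_strat(REL, A, prec)),
              sorted(sorted(B) for B in successors(REL, A, prec)))
```

`max_strat` returns exactly $s_1(A)$, $s_2(A)$ and $s_3(A)$ of Example 1 for the three priorities, and `successors` returns the right-hand sides listed there; `is_saturated({r1, r2}, REL, A, prec1)` is false for the reason given in Example 2 (the witness $r_3$ makes condition (2) fail for $r_1$).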

The definitions of strategy and maximal strategy used in this paper are more general than those in [11, §2]. In that paper, the only possible nondeterminism in $\to_s$ arises from $\to$. In the formalization presented in this paper, as illustrated by strategies $s_1$ and $s_3$, the synchronous relation $\to_s$ can be nondeterministic even when the relation $\to$ is deterministic.

3 Synchronous Set Relations in Rewriting Logic 

This section presents the infrastructure for specifying and executing in Maude a synchronous relation defined from a language $\mathcal{L}$.

3.1 A Brief Overview of Rewriting Logic

An order-sorted signature [2] is a triple $\Sigma = (S, \le, F)$, where $(S, \le)$ is a finite poset of sorts and $F$ is a finite set of function symbols. Set $X = \{X_s\}_{s \in S}$ is an $S$-sorted family of disjoint sets of variables with each $X_s$ countably infinite. The set of terms of sort $s$ is denoted by $T_\Sigma(X)_s$ and the set of ground terms of sort $s$ is denoted by $T_{\Sigma,s}$. It is assumed that for each sort $s$, $T_{\Sigma,s}$ is nonempty. Algebras $T_\Sigma(X)$ and $T_\Sigma$ denote the respective term algebras. The set of variables of a term $t$ is written $vars(t)$ and is extended to sets of terms in the natural way. A term $t$ is called ground if $vars(t) = \emptyset$. A substitution $\theta$ is a sorted map from a finite subset $dom(\theta) \subseteq X$ to $ran(\theta) \subseteq T_\Sigma(X)$ and extends homomorphically in the natural way. Substitution $\theta$ is called ground if $ran(\theta)$ is ground. Expression $t\theta$ denotes the application of $\theta$ to term $t$.

A $\Sigma$-equation is a sentence $t = u \ \mathbf{if}\ cond$, where $t = u$ is a $\Sigma$-equality with $t, u \in T_\Sigma(X)_s$, for some sort $s \in S$, and the condition $cond$ is a finite conjunction of $\Sigma$-equalities. An equational theory is a pair $(\Sigma, E)$ with order-sorted signature $\Sigma$ and finite set of $\Sigma$-equations $E$. For a $\Sigma$-equation $\varphi$, the judgement $(\Sigma, E) \vdash \varphi$ states that $\varphi$ can be derived from $(\Sigma, E)$ by the deduction rules in [8]. In this case, it holds that $\varphi$ is valid in all models of $(\Sigma, E)$. An equational theory $(\Sigma, E)$ induces the congruence relation $=_E$ on $T_\Sigma(X)$ defined for any $t, u \in T_\Sigma(X)$ by $t =_E u$ if and only if $(\Sigma, E) \vdash (\forall X)\; t = u$. The $\Sigma$-algebras $T_{\Sigma/E}(X)$ and $T_{\Sigma/E}$ denote the quotient algebras induced by $=_E$ over the algebras $T_\Sigma(X)$ and $T_\Sigma$. The algebra $T_{\Sigma/E}$ is called the initial algebra of $(\Sigma, E)$.

A $\Sigma$-rule is a sentence $b : t \Rightarrow u \ \mathbf{if}\ cond$, where $b$ is its name, $t \Rightarrow u$ is a $\Sigma$-sequent with $t, u \in T_\Sigma(X)_s$, for some sort $s \in S$, and the condition $cond$ is a finite conjunction of $\Sigma$-equations. A rewrite theory is a tuple $\mathcal{R} = (\Sigma, E, R)$ with equational theory $\mathcal{E}_\mathcal{R} = (\Sigma, E)$ and a finite set of $\Sigma$-rules $R$. For $\mathcal{R} = (\Sigma, E, R)$ and $b$ a $\Sigma$-rule, the judgement $\mathcal{R} \vdash b$ states that $b$ can be derived from $\mathcal{R}$ by the deduction rules in [2]. In this case, it holds that $b$ is valid in all models of $\mathcal{R}$. For $b$ a $\Sigma$-equation, it can be proved that $\mathcal{R} \vdash b$ if and only if $\mathcal{E}_\mathcal{R} \vdash b$. A rewrite theory $\mathcal{R} = (\Sigma, E, R)$ induces the rewrite relation $\Rightarrow_\mathcal{R}$ on $T_{\Sigma/E}(X)$ defined for every $t, u \in T_\Sigma(X)$ by $[t]_E \Rightarrow_\mathcal{R} [u]_E$ if and only if there is a one-step rewrite proof $\mathcal{R} \vdash (\forall X)\; t \Rightarrow u$. Relations $\Rightarrow^{1}_\mathcal{R}$ and $\Rightarrow^{*}_\mathcal{R}$ respectively denote a one-step rewrite and an arbitrary length (but finite) rewrite in $\mathcal{R}$ from $t$ to $u$. Model $\mathcal{T}_\mathcal{R} = (T_{\Sigma/E}, \Rightarrow^{*}_\mathcal{R})$ is the initial reachability model of $\mathcal{R} = (\Sigma, E, R)$ [2].

The following conditions on a rewrite theory $\mathcal{R} = (\Sigma, E, R)$ make rewriting with equations $E$ and with rules $R$ modulo $E$ computable, and are assumed throughout this paper. First, the set of equations $E$ of $\mathcal{R}$ can be decomposed into a disjoint union $E' \uplus A$, with $A$ a collection of axioms (such as associativity, and/or commutativity, and/or identity) for which there exists a matching algorithm modulo $A$ producing a finite number of $A$-matching substitutions, or failing otherwise. The second condition is that the equations $E'$ can be oriented into a set of ground sort-decreasing, ground confluent, and ground terminating rules $\vec{E'}$ modulo $A$. The expression $[can_{E'/A}(t)]_A \in T_{\Sigma/A,s}$ will denote the $E'$-canonical form of $[t]_A$. The rules $R$ in $\mathcal{R}$ are assumed to be ground coherent relative to the equations $E'$ modulo $A$ [14].
3.2 The Synchronous Language $\mathcal{L}$

Recall that definitions in Section 2 are given for an abstract set $T$, an abstract relation $\to$, and an abstract priority relation $\prec$. The language $\mathcal{L}$ is given by the user as an order-sorted rewrite theory $(\Sigma_\mathcal{L}, E_\mathcal{L}, R_\mathcal{L})$ that enables the definition of concrete mathematical objects $T_{\Sigma_\mathcal{L}, Elem}$, $\to_\mathcal{L}$, and $\prec_\mathcal{L}$ that implement $T$, $\to$, and $\prec$, respectively. The rewrite theory $(\Sigma_\mathcal{L}, E_\mathcal{L}, R_\mathcal{L})$ extends the rewrite theory $(\Sigma, E, R)$, which provides an infrastructure with definitions of basic sorts and data structures that are suitable for specifying set rewriting systems. This rewrite theory exploits rewriting logic's reflection capabilities available in Maude to soundly and completely simulate the synchronous relation $\to^s_\mathcal{L}$, where $s$ is the $\prec_\mathcal{L}$-maximal strategy for $\to_\mathcal{L}$.

The Set $T_{\Sigma_\mathcal{L}, Elem}$. The set of ground terms $T_{\Sigma_\mathcal{L}, Elem}$ of the rewrite theory $(\Sigma_\mathcal{L}, E_\mathcal{L}, R_\mathcal{L})$ implements the abstract set $T$ of Section 2. The sort $Elem$ represents elements in $\Sigma$ having the form $(m \mid a_1 : e_1, \ldots, a_n : e_n)$, where $m$ is an identifier of sort $Eid$ and $a_1 : e_1, \ldots, a_n : e_n$ is a map of sort $Map$. A map is a collection of attributes. An attribute is a pair $a : e$ where $a$ is an attribute identifier of sort $Aid$ and $e$ is an expression of sort $Expr$. Attributes are a flexible way of defining the internal state of an element. Sorts $Aid$ and $Eid$ are declared as subsorts of $Expr$. The set $\mathcal{U}$ of Section 2 corresponds to the set of ground terms $T_{\Sigma_\mathcal{L}, Ctx}$, where the sort $Ctx$ represents sets of elements of sort $Elem$. A context is an element of sort $Ctx$. The sort $Val$ is defined in $\Sigma$ as a subsort of $Expr$ and represents built-in values such as Boolean and numerical values. Function symbol $eval : Ctx \times Expr \to Val$ is defined in $\Sigma$ without any equational definition.

The user is free to extend the signature $\Sigma$ in $\Sigma_\mathcal{L}$ with any syntax and subsorts for element identifiers, attribute identifiers, and expressions. However, it is assumed that attribute identifiers within a map and element identifiers within a context are unique. It is also assumed that the theory $(\Sigma_\mathcal{L}, E_\mathcal{L})$ includes a complete equational interpretation of $eval$ for the set of expressions in $\Sigma_\mathcal{L}$.

The Relation $\to_\mathcal{L}$. The synchronous relation in Definition 1 is given for an abstract atomic relation $\to$. In a concrete language, such as $\mathcal{L}$, this relation represents atomic computational steps that are synchronously executed. For that reason, the concrete relation $\to_\mathcal{L}$ is called the atomic relation. As shown in [11], the atomic relation is usually parametric with respect to a context that, in this infrastructure, provides global information to the function $eval$. Henceforth, the atomic relation with respect to a context $\Gamma$ of sort $Ctx$ will be denoted $\to^\Gamma_\mathcal{L}$.

The atomic relation $\to^\Gamma_\mathcal{L}$ is specified in $R_\mathcal{L}$ through atomic rules.

Definition 4 (Atomic Rules). Let $\Sigma_\mathcal{L}$ be an order-sorted signature extending $\Sigma$. An atomic $\Sigma_\mathcal{L}$-rule is a $\Sigma_\mathcal{L}$-rule $b : l \Rightarrow r \ \mathbf{if}\ cond$ such that:

- rule name $b$ has the form $c$-$n$, where $c$, the component of $b$, is an identifier, and $n$, the rank of $b$, is a natural number;

- $l$ does not contain attribute identifier variables, i.e., $vars(l) \cap X_{Aid} = \emptyset$; and

- attribute names appearing in an element term in $r$ are named for that same element term in $l$, i.e., if $(i \mid m') \in r$ and $(a : e') \in m'$, then there is $(i \mid m) \in l$ such that $(a : e) \in m$ for some $e \in T_{\Sigma_\mathcal{L}}(X)_{Expr}$.

An atomic $\Sigma_\mathcal{L}$-rule specifies transitions of contexts (possibly) constrained by a condition that may involve expressions in the syntax of $\mathcal{L}$. The component and rank of $\Sigma_\mathcal{L}$-rules are used to define the priority relation $\prec_\mathcal{L}$. The restriction on attribute identifier names and variables is to prevent the user from defining an atomic relation $\to_\mathcal{L}$ for which computing a $\to_\mathcal{L}$-reduction could be highly inefficient or even incorrect.

Definition 5 (Atomic Relation $\to_\mathcal{L}$). Let $\mathcal{L} = (\Sigma_\mathcal{L}, E_\mathcal{L}, R_\mathcal{L})$ be a rewrite theory with $(\Sigma_\mathcal{L}, E_\mathcal{L})$ extending $(\Sigma, E)$ and $R_\mathcal{L}$ a collection of atomic $\Sigma_\mathcal{L}$-rules with different names. For a rule $b : l \Rightarrow r \ \mathbf{if}\ cond \in R_\mathcal{L}$, the (parametric) relation $\to^\Gamma_b$ with parameter $\Gamma \in T_{\Sigma_\mathcal{L}, Ctx}$ denotes the set of pairs $(A;B)$ in $T_{\Sigma_\mathcal{L}, Ctx} \times T_{\Sigma_\mathcal{L}, Ctx}$ such that there is a ground substitution $\theta : T_{\Sigma_\mathcal{L}}(X) \to T_{\Sigma_\mathcal{L}}$ satisfying $cond\,\theta$, $A = l\theta$, and $B = r\theta$ in $\mathcal{L}$, where any expression is evaluated in $\Gamma$. The atomic relation $\to_\mathcal{L}$ is the indexed set $\{\to^\Gamma_b\}_{\Gamma \in T_{\Sigma_\mathcal{L}, Ctx},\, b \in R_\mathcal{L}}$.

In Definition 5, $A$, $B$, and $\Gamma$ are ground terms of sort $Ctx$. Furthermore, the term $B$ is a variant of $A$ in which some expressions and attributes have been modified. In particular, $A$ and $B$ have the same number of elements with the same element and attribute identifiers. This means that the atomic relation does not delete or create elements or attributes in $A$. This restriction simplifies the technical development of $(\Sigma, E, R)$. In any case, creation and deletion of elements and attributes can be encoded by using additional attributes. Also observe that, due to the syntactical restrictions of atomic rules in Definition 4, the equational sentences $cond\,\theta$, $A = l\theta$, and $B = r\theta$ can be checked in $(\Sigma_\mathcal{L}, E_\mathcal{L})$ because they are equational expressions that, although they may depend on the context $\Gamma$, do not depend on $R_\mathcal{L}$. In general, the atomic relation $\to_\mathcal{L}$ and the rewrite relation $\Rightarrow_\mathcal{L}$ induced by the rewrite theory $\mathcal{L}$ do not coincide for ground context terms. In particular, $\to_\mathcal{L}$ is defined as the top-most application of the atomic rules, while $\Rightarrow_\mathcal{L}$ is defined as the congruence closure of those rules.


The Priority $\prec_\mathcal{L}$. For a given context $\Gamma$, the elements in $\to^\Gamma_\mathcal{L}$ can be regarded as tuples of the form $(A, B, c, m)_\Gamma$ as a shorthand for $A \to^\Gamma_{c\text{-}m} B$, with $c$-$m \in R_\mathcal{L}$. The set $\prec_\mathcal{L} = \{\prec_\mathcal{L}(\Gamma)\}_{\Gamma \in T_{\Sigma_\mathcal{L}, Ctx}}$ is defined automatically by the infrastructure:

$$(A', B', c', m')_\Gamma \;\prec_\mathcal{L}(\Gamma)\; (A, B, c, m)_\Gamma \quad = \quad A \subseteq \Gamma \;\wedge\; A' \subseteq \Gamma \;\wedge\; c = c' \;\wedge\; m < m',$$

where $<$ is the usual order on natural numbers.

Lemma 1. The indexed set $\prec_\mathcal{L}$ is a priority for $\to_\mathcal{L}$.

Proof. It is enough to prove that $\prec_\mathcal{L}(\Gamma)$ is a strict partial order, for any $\Gamma \in T_{\Sigma_\mathcal{L}, Ctx}$. Irreflexivity of $\prec_\mathcal{L}(\Gamma)$ follows from the irreflexivity of $<$. Transitivity of $\prec_\mathcal{L}(\Gamma)$ follows from the fact that if $(A'', B'', c'', m'')_\Gamma \prec_\mathcal{L}(\Gamma) (A', B', c', m')_\Gamma$ and $(A', B', c', m')_\Gamma \prec_\mathcal{L}(\Gamma) (A, B, c, m)_\Gamma$, then $A'' \subseteq \Gamma$, $A \subseteq \Gamma$, $c'' = c' = c$, and $m < m' < m''$. Therefore, $(A'', B'', c'', m'')_\Gamma \prec_\mathcal{L}(\Gamma) (A, B, c, m)_\Gamma$. □

The priority $\prec_\mathcal{L}$ is an indexed collection of strict partial orders. In particular, for each $\Gamma \in T_{\Sigma_\mathcal{L}, Ctx}$, priority $\prec_\mathcal{L}(\Gamma)$ compares two elements of $\to^\Gamma_\mathcal{L}$ if they are computed with the same context and they originate from atomic $\Sigma_\mathcal{L}$-rules having the same component. It assigns a higher priority to elements with smaller rank.

Rewrite theory $(\Sigma, E, R)$ includes a function $max\text{-}strat$ that computes the $\prec_\mathcal{L}$-maximal $\to^\Gamma_\mathcal{L}$-strategy, where $\Gamma \in T_{\Sigma_\mathcal{L}, Ctx}$ is the parameter of the relation $\to_\mathcal{L}$. That function implements Algorithm 1 of Section 2. It takes as input the language $\mathcal{L}$ and ground context $\Gamma$ and returns the collection $s(\Gamma)$, where $s$ is the $\prec_\mathcal{L}$-maximal $\to_\mathcal{L}$-strategy. The function $max\text{-}strat$ is implemented in Maude using the meta-level capabilities of the system. Henceforth, the strategy $s$ will denote the $\prec_\mathcal{L}$-maximal $\to_\mathcal{L}$-strategy as computed by $max\text{-}strat$.

3.3 Simulation of $\to^s_\mathcal{L}$

The set of $\Sigma$-rules $R$ of the order-sorted rewrite theory $(\Sigma, E, R)$ includes only one rule: for $l, r \in X_{Ctx}$, $T \in X_{Transition}$, and $S \in X_{TransitionSet}$,

$$sync : \{l\} \Rightarrow \{r\} \ \mathbf{if}\ T, S := max\text{-}strat(\mathcal{L}, l) \;\wedge\; r := update(l, T).$$

This rule, along with the rules $R_\mathcal{L}$ provided by the user, implements the serialization algorithm defined in [11], which has been adapted to the notion of maximal strategy presented in this paper. Sort $Transition$ denotes sets of pairs in $T_{\Sigma_\mathcal{L}}(X)_{Ctx}$ and sort $TransitionSet$ denotes collections of transitions. Function $update$ takes as inputs a ground context $A$ and a ground transition term $C = \{(A_1;B_1), \ldots, (A_n;B_n)\}$, and computes the ground context

$$B = \Big(A \setminus \bigcup_{1 \le i \le n} A_i\Big) \cup \bigcup_{1 \le i \le n} B_i.$$

It is noted that the rule $sync$ acts on contexts that are syntactically wrapped by curly brackets, that is, terms of the form $\{A\}$ with $A$ a ground context term. Those terms are of sort $SState$. The curly brackets operator prevents its context $A$ from being directly rewritten by the user-defined atomic rules in $R_\mathcal{L}$. The actual application of those rules is done by the function $update$.

Rule $sync$ is nondeterministic because a ground substitution for $l$ matching its condition depends on the choice of $T$, i.e., on all possible transitions computed by $max\text{-}strat$. However, there will be exactly one rewrite with $sync$ for each transition.

Theorem 2. Let $\mathcal{L} = (\Sigma_\mathcal{L}, E_\mathcal{L}, R_\mathcal{L})$ be an extension of $(\Sigma, E, R)$. For $A, B \in T_{\Sigma_\mathcal{L}, Ctx}$, the following equivalence holds:

$$\mathcal{L} \vdash \{A\} \Rightarrow \{B\} \quad\iff\quad A \to^s_\mathcal{L} B,$$

where $s$ denotes the $\prec_\mathcal{L}$-maximal $\to_\mathcal{L}$-strategy as computed by $max\text{-}strat$.

Proof. The key observation is that because $max\text{-}strat$ computes the $\prec_\mathcal{L}$-maximal $\to_\mathcal{L}$-strategy $s$, the following equivalence holds:

$$C \in s(A) \quad\iff\quad (\exists C' \in T_{\Sigma, TransitionSet})\; C, C' =_{E_\mathcal{L}} max\text{-}strat(\mathcal{L}, A).$$

($\Rightarrow$) Since $\{A\}$ can be rewritten only by rule $sync \in R$, there is a ground substitution $\theta : X \to T_{\Sigma_\mathcal{L}}$ satisfying $A =_{E_\mathcal{L}} l\theta$, $B =_{E_\mathcal{L}} r\theta$, $T\theta, S\theta =_{E_\mathcal{L}} max\text{-}strat(\mathcal{L}, l\theta)$, and $r\theta =_{E_\mathcal{L}} update(l\theta, T\theta)$. By the observation above, $T\theta \in s(A)$. Then, from the definition of $update$, it follows that $A \to^s_\mathcal{L} B$.

($\Leftarrow$) If $A \to^s_\mathcal{L} B$, there is $C = \{(A_1;B_1), \ldots, (A_n;B_n)\} \in s(A)$ such that $B = (A \setminus \bigcup_{1 \le i \le n} A_i) \cup \bigcup_{1 \le i \le n} B_i$. By the observation above and the definition of $update$, there is $C' \in T_{\Sigma, TransitionSet}$ such that $C, C' =_{E_\mathcal{L}} max\text{-}strat(\mathcal{L}, A)$ and $B =_{E_\mathcal{L}} update(A, C)$. Then the substitution $\theta$ satisfying $A =_{E_\mathcal{L}} l\theta$ witnesses $\mathcal{L} \vdash \{A\} \Rightarrow \{B\}$.

□

One key advantage of this approach is that, while it offers support for the execution of a synchronous relation $\to^s_\mathcal{L}$, it does so by simulating $\to^s_\mathcal{L}$ using the standard asynchronous semantics of Maude. Therefore, all commands available in Maude for executing and verifying rewrite relations are directly available for $\to^s_\mathcal{L}$. Sections 4 and 5 illustrate these features with practical examples.

4 Executable Semantics of a Simple Synchronous Language

Module SMAUDE implements in Maude the rewrite theory $(\Sigma, E, R)$ presented in Section 3. This section illustrates the use of SMAUDE by giving the small-step semantics of a simple synchronous language with arithmetic expressions.

Consider a language that consists of two kinds of elements: memory elements $Mem(m, v)$ and assignment elements $l := e$, where $m, l$ denote memory names, $v$ denotes a numerical value, and $e$ denotes an arithmetic expression. Arithmetic expressions are recursively formed using memory names, numerical values, and expressions of the form $e_1 + e_2$, where $e_1$ and $e_2$ are arithmetic expressions. In this case, the set $T$ consists of all elements having the form $Mem(m, v)$ or $m := e$.

The small-step semantics of the language requires the definition of an evaluation function $eval$ that takes as inputs a context $\Gamma$, which is a set of elements of $T$, and an arithmetic expression $e$. It is inductively defined on expressions:

$$eval(\Gamma, e) = \begin{cases} v & \text{if } e \text{ is the numerical value } v, \\ v & \text{if } e \text{ is the memory name } m \text{ and } Mem(m, v) \in \Gamma, \\ v_1 + v_2 & \text{if } e \text{ has the form } e_1 + e_2 \text{ and } v_i = eval(\Gamma, e_i) \text{ for } i \in \{1, 2\}. \end{cases}$$

The (parametric) atomic relation $\to^\Gamma$ of the language is defined for a context $\Gamma$ by $A \to^\Gamma B$ if and only if $A \subseteq \Gamma$, $A = \{Mem(m, v),\, m := e\}$, $B = \{Mem(m, u),\, m := e\}$, and $u = eval(\Gamma, e)$, for some memory name $m$, values $v$ and $u$, and expression $e$. The semantic relation of the language is the relation $\to^\Gamma_s$, where $s$ is the $\prec$-maximal $\to^\Gamma$-strategy, $\Gamma$ is a ground context, and $\prec$ is the empty priority.

Example 4. Let $\Gamma = \{Mem(x, 3), Mem(y, 4), x := y, y := x\}$. Then:

$$Mem(x, 3), Mem(y, 4), x := y, y := x \;\to^\Gamma_s\; Mem(x, 4), Mem(y, 3), x := y, y := x.$$

This language is specified by the Maude module SIMPLE, which includes system module SMAUDE:

    $a : Nat \to Eid$        $body : \to Aid$        $Nat < Val$
    $x : \to Eid$            $mem : \to Aid$         $+ : Expr \times Expr \to Expr$
    $y : \to Eid$            $to : \to Aid$

Memory elements use constructors $x$ and $y$ for element identifiers and have attribute $mem$ as their only attribute. Assignment elements use constructor $a$ for element identifiers and have attributes $body$ and $to$ as their only attributes. In the syntax of SIMPLE, memory element $Mem(x, v)$ and an assignment element $x := e$ are represented, for instance, by elements $(x \mid mem : v)$ and $(a(1) \mid to : x, body : e)$, respectively. Built-in natural numbers are values of the language. Evaluation of expressions is given equationally following the definition of $eval$.

Atomic rule $r$-$1$ specifies the atomic relation of the language:

$$r\text{-}1 : (I \mid mem : N)(J \mid body : E, to : I) \Rightarrow (I \mid mem : eval(E)).$$

The specification of atomic rules is slightly different from the usual specification of rules in rewriting logic. First, in the lefthand side of an atomic rule, it is sufficient to mention only the attributes involved in the atomic transition. In this case, SMAUDE will complete each lefthand side term by automatically adding a variable of sort $Map$, unique for each element, before any matching is performed. Second, in the righthand side of an atomic rule, it is sufficient to mention only the elements and the attributes that can change in the atomic step. In this case, SMAUDE updates in the current state only the attributes of the elements occurring in the righthand side of the rule, while keeping the other ones intact. So, in atomic rule $r$-$1$, the only attribute that can change is attribute $mem$ of the memory element. Note also that in the righthand side of $r$-$1$ a unary version of function $eval$, without mention of any particular context, is used; SMAUDE will automatically extend it to its binary counterpart, for the given context, when computing function $max\text{-}strat$.

The context $\Gamma$ in Example 4, written in the syntax of SIMPLE, is

$$(x \mid mem : 3)(y \mid mem : 4)(a(1) \mid to : x, body : y)(a(2) \mid to : y, body : x).$$

Maude's search command can be used to compute, for instance, the one-step synchronous semantic relation of the language in Example 4 from context $\Gamma$:

    Maude> search { Gamma } =>1 X:SState .
    search in SIMPLE : { Gamma } =>1 X:SState .

    Solution 1 (state 1)
    states: 2  rewrites: 514 in 53ms cpu (54ms real) (9655 rewrites/second)
    X:SState --> { < x | mem : 4 > < y | mem : 3 >
                   < a(1) | body : y, to : x > < a(2) | body : x, to : y > }

    No more solutions.
5 Verification of Synchronous Relations


This section illustrates the use of Maude’s LTL Model Checker for the verification 
of properties of a synchronous relation. 

Consider a system of clocks keeping track of hours and minutes. Each clock is modeled in rewrite theory CLOCKS by two elements, one displaying hours and the other displaying minutes:

    $h : Nat \to Eid$        $hour : \to Aid$        $min : Nat \to Expr$
    $m : Nat \to Eid$        $min : \to Aid$         $Nat < Val$

Hour elements use constructor h for element identifiers and have attribute hour 
as its single attribute. Minute elements use constructor m for element identifiers 
and have attribute min as its single attribute. Natural numbers are used as values 
for the attributes. The n-th clock is represented by the hour element with element 
identifier h(n) and the minute element with element identifier m(n). Attribute 
min of a minute element m(n) can be accessed by evaluating expression min(n). 
A clock displaying 9:15, written in the syntax of CLOCKS , is 

(h(1) | hour: 9)(m(1) | min: 15). 

The following clock transitions are of interest: 

(i) if hour = 11 and min = 59, then set hour = 0 and min = 0; 

(ii) if hour < 11 and min = 59, then increment hour by one unit and set min = 0; 

(iii) if hour < 11 and min < 59, then increment min by one unit. 

These transitions are intuitively coded via priorities in rewrite theory CLOCKS. 

The behavior of the system is modeled by defining a priority such that redexes 
of the form (i) have the highest priority and the ones of the form (iii) the lowest. 
The following are the atomic rules of CLOCKS, for C, M, N ∈ X_Nat: 

cl-1 : (h(C) | hour:11)(m(C) | min:59) => (h(C) | hour:0)(m(C) | min:0) 

cl-2 : (h(C) | hour:N) => if eval(min(C)) == 59 
                             then (h(C) | hour:s(N)) 
                             else (h(C) | hour:N) fi 

cl-3 : (m(C) | min:N) => if N == 59 
                             then (m(C) | min:0) 
                             else (m(C) | min:s(N)) fi 


In CLOCKS, resetting a clock (i.e., rule cl-1) has higher priority than exclusively 
increasing the hour (i.e., rule cl-2) or the minute (i.e., rule cl-3) of a clock. 
Rule cl-1 uses matching for detecting when a clock needs to be reset. In the 
righthand side of rule cl-2 the evaluation of expression min(C) yields the 
minute value of clock C, freeing the lefthand side of the rule from explicitly 
mentioning the minute element. Because of this, rules cl-2 and cl-3 can never 
overlap and therefore can be executed in parallel. As a final remark, observe that 
the priorities of the last two rules can be switched without altering the behavior 
of the system, since their lefthand sides can never overlap. 

Two temporal properties that the synchronous relation of CLOCKS must 
satisfy are that clocks are always synchronized and that each clock is reset infinitely 
often. These two properties are specified by the propositions Π = {sync, reset}. 
Using the syntax of Maude's LTL Model Checker and for variables C, C', H, M ∈ 
X_Nat and Γ ∈ X_Ctx, the propositions Π are defined in the equational theory 
CLOCKS-PREDS as follows: 


sync : Nat × Nat -> Prop      reset : Nat -> Prop      SState < State 

{Γ} |= sync(C, C') = true   if (h(C) | hour:H)(m(C) | min:M) ⊆ Γ 
                            and (h(C') | hour:H)(m(C') | min:M) ⊆ Γ, 
                     false  otherwise. 

{Γ} |= reset(C) = true   if (h(C) | hour:0)(m(C) | min:0) ⊆ Γ, 
                  false  otherwise. 


The subsort declaration SState < State tells Maude's LTL Model Checker 
that the semantics of the propositions Π (each with sort Prop provided by the 
model checker) is to be defined on sort SState. Two clocks are synchronized 
if their hour values and minute values are the same; otherwise they are not 
synchronized. A clock is reset if its hour and minute values are 0. 

Consider the following state init in the signature of CLOCKS 

{(h(1) | hour:0)(m(1) | min:0)(h(2) | hour:0)(m(2) | min:0)}, 

with two clocks, both displaying 0:00. The two temporal properties aforemen- 
tioned that the synchronous relation of CLOCKS must satisfy, are formally spec- 
ified for state init as follows: 

K_CLOCKS, init ⊨ □ sync(1, 2), 

K_CLOCKS, init ⊨ □◇ reset(1) ∧ □◇ reset(2), 

where K_CLOCKS = (T_{Σ/E,SState}, →_CLOCKS, L_Π) is the Kripke structure associ- 
ated to the initial reachability model of CLOCKS, with top sort SState and predi- 
cates Π (see [4] for details on how K_CLOCKS is associated to CLOCKS). 

First observe that the set of clock states reachable from init is finite and, 
therefore, each property specification problem is decidable. The first property 
specification asserts that clocks 1 and 2 are always synchronized, and the second 
property specification asserts that each clock is reset infinitely often. 

By using Maude’s LTL Model Checker, the following results are obtained: 

Maude> red modelCheck(init, [] sync(1, 2)) . 
reduce in CLOCKS-PREDS : modelCheck(init, [] sync(1, 2)) . 
rewrites: 124946 in 6023ms cpu (6023ms real) (20744 rewrites/second) 
result Bool: true 

Maude> red modelCheck(init, ([] <> reset(1)) /\ ([] <> reset(2))) . 
reduce in CLOCKS-PREDS : modelCheck(init, []<> reset(1) /\ []<> reset(2)) . 
rewrites: 125514 in 6810ms cpu (6812ms real) (18428 rewrites/second) 
result Bool: true 
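As an added illustration for this page (not code from the paper, and not the SMAUDE infrastructure itself), the following stand-alone Python program re-implements the synchronous relation of CLOCKS under the maximal strategy with the priorities cl-1 > cl-2 > cl-3, and then checks the two properties above by explicit-state exploration of the finite Kripke structure: □sync(1,2) holds iff every reachable state satisfies sync, and □◇reset(C) fails iff some reachable cycle consists only of states violating reset(C). The encoding of a state as a frozenset of (element id, attribute, value) triples and all function names are choices made for this example, not notation from the paper. Beyond the paper's run from init, the program can also be started with the two clocks out of step, in which case the □sync check fails while □◇reset still holds.

```python
"""Synchronous execution of CLOCKS (Section 5) with priorities cl-1 > cl-2 > cl-3,
plus explicit-state checks of [] sync(1,2) and []<> reset(C).
Added example: a Python re-implementation, not the paper's Maude code and not
SMAUDE.  The state encoding below is an assumption of this example."""
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Eid = Tuple[str, int]                # ('h', n) / ('m', n) stand for h(n) / m(n)
Elem = Tuple[Eid, str, int]          # (element id, attribute name, value)
State = FrozenSet[Elem]
Redex = Tuple[FrozenSet[Elem], FrozenSet[Elem]]   # (lefthand side, righthand side)


def make_state(clocks: Dict[int, Tuple[int, int]]) -> State:
    """Build a state from {clock id: (hour, minute)}."""
    return frozenset(e for n, (h, m) in clocks.items()
                     for e in ((('h', n), 'hour', h), (('m', n), 'min', m)))


def lookup(s: State, eid: Eid, attr: str) -> int:
    """eval(attr(n)) in the paper: read an attribute from the current context."""
    return next(v for e, a, v in s if e == eid and a == attr)


# Atomic rules; each returns all of its redexes in state s.
def cl_1(s: State) -> List[Redex]:
    # (h(C) | hour:11)(m(C) | min:59) => (h(C) | hour:0)(m(C) | min:0)
    return [(frozenset({(('h', n), 'hour', 11), (('m', n), 'min', 59)}),
             frozenset({(('h', n), 'hour', 0), (('m', n), 'min', 0)}))
            for (c, n), _, v in s
            if c == 'h' and v == 11 and lookup(s, ('m', n), 'min') == 59]


def cl_2(s: State) -> List[Redex]:
    # (h(C) | hour:N) => if eval(min(C)) == 59 then hour:s(N) else hour:N fi
    return [(frozenset({(('h', n), 'hour', v)}),
             frozenset({(('h', n), 'hour',
                         v + 1 if lookup(s, ('m', n), 'min') == 59 else v)}))
            for (c, n), _, v in s if c == 'h']


def cl_3(s: State) -> List[Redex]:
    # (m(C) | min:N) => if N == 59 then min:0 else min:s(N) fi
    return [(frozenset({(('m', n), 'min', v)}),
             frozenset({(('m', n), 'min', 0 if v == 59 else v + 1)}))
            for (c, n), _, v in s if c == 'm']


RULES = [cl_1, cl_2, cl_3]           # highest priority first


def eids(elems: FrozenSet[Elem]) -> Set[Eid]:
    return {e for e, _, _ in elems}


def sync_step(s: State) -> State:
    """One synchronous step under the maximal strategy: scan rules by priority,
    keep each redex whose lefthand side shares no element id with an already
    chosen one (redexes overlap iff they share an element), fire them all."""
    chosen: List[Redex] = []
    used: Set[Eid] = set()
    for rule in RULES:
        for lhs, rhs in rule(s):
            if eids(lhs).isdisjoint(used):
                chosen.append((lhs, rhs))
                used |= eids(lhs)
    new = set(s)
    for lhs, rhs in chosen:
        new -= lhs
        new |= rhs
    return frozenset(new)


# Propositions of CLOCKS-PREDS.
def sync(s: State, c1: int, c2: int) -> bool:
    return (lookup(s, ('h', c1), 'hour') == lookup(s, ('h', c2), 'hour')
            and lookup(s, ('m', c1), 'min') == lookup(s, ('m', c2), 'min'))


def reset(s: State, c: int) -> bool:
    return lookup(s, ('h', c), 'hour') == 0 and lookup(s, ('m', c), 'min') == 0


def reachable(init: State) -> Dict[State, List[State]]:
    """Successor map of the finite Kripke structure reachable from init
    (deterministic here, so one successor per state)."""
    succ: Dict[State, List[State]] = {}
    todo = [init]
    while todo:
        s = todo.pop()
        if s not in succ:
            succ[s] = [sync_step(s)]
            todo.extend(succ[s])
    return succ


def always(succ: Dict[State, List[State]], prop: Callable[[State], bool]) -> bool:
    """[] prop: every reachable state satisfies prop."""
    return all(prop(s) for s in succ)


def always_eventually(succ: Dict[State, List[State]],
                      prop: Callable[[State], bool]) -> bool:
    """[]<> prop fails iff a reachable cycle lies entirely inside the non-prop
    states; look for such a cycle with an iterative DFS over those states."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {s: WHITE for s in succ if not prop(s)}   # non-prop states only
    for root in color:
        if color[root] != WHITE:
            continue
        color[root] = GREY
        stack = [(root, iter(succ[root]))]
        while stack:
            node, it = stack[-1]
            for nxt in it:
                if nxt not in color:         # a prop state breaks the cycle
                    continue
                if color[nxt] == GREY:       # back edge: cycle avoiding prop
                    return False
                if color[nxt] == WHITE:
                    color[nxt] = GREY
                    stack.append((nxt, iter(succ[nxt])))
                    break
            else:
                color[node] = BLACK
                stack.pop()
    return True


if __name__ == '__main__':
    init = make_state({1: (0, 0), 2: (0, 0)})    # both clocks at 0:00, as in the paper
    succ = reachable(init)
    print(len(succ), 'reachable states')         # 12 * 60
    print('[] sync(1,2):', always(succ, lambda s: sync(s, 1, 2)))
    print('[]<> reset(1) /\\ []<> reset(2):',
          all(always_eventually(succ, lambda s, c=c: reset(s, c)) for c in (1, 2)))
```

The cycle criterion is the standard one for a finite Kripke structure with a total transition relation: an infinite path violating □◇p eventually stays inside ¬p forever, and since states are finite it must repeat a ¬p state, so a ¬p cycle reachable from init exists; conversely any such cycle gives a violating path. The reachable set from init has 12 × 60 = 720 states, which is the finiteness the paper relies on for decidability.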
6 Conclusion 


Rewriting logic has been used previously as a test bed for specifying and animat- 
ing synchronous rewrite relations. M. AlTurki and J. Meseguer [1] have studied 
the rewriting logic semantics of the language Orc, which includes a synchronous 
reduction relation. T. Serbanuta et al. [13] and C. Chira et al. [3] define the 
execution of P-systems with structured data with continuations. The focus of 
the former is to use rewriting logic to study the (mainly) non-deterministic be- 
havior of Orc programs, while the focus of the latter is to study the relationship 
between P-systems and the existing continuation framework for enriching each 
with the strong features of the other. D. Lucanu [7] studies the problem of the 
interleaving semantics of concurrency in rewriting logic for synchronous systems 
from the perspective of P-systems. More recently, T. Serbanuta [12] advances 
the rewriting-based framework K with resource sharing semantics that enables 
some kind of synchronous rewriting. J. Meseguer and P. Olveczky [9] present 
a formal specification of the physically asynchronous logically synchronous ar- 
chitectural pattern as a formal model transformation that maps a synchronous 
design, together with performance bounds on the underlying infrastructure, to a 
formal distributed real-time specification that is semantically equivalent to the 
synchronous design. 

The work presented in this paper is closely related to those works in that it 
presents techniques for specifying and executing synchronous rewrite relations. 
However, the work presented here is a first milestone towards the development of 
symbolic techniques for the analysis of synchronous set relations. In particular, 
the authors strongly believe that the infrastructure presented in Section 3 can 
be extended with rewriting and narrowing based techniques, in the style of [10], 
to obtain a deductive approach for verifying symbolic safety properties, such as 
invariance or race conditions, of synchronous set relations. Another feature that 
distinguishes this work from related work is the idea of priorities as an instrument 
to control nondeterminism of synchronous relations. Of course, in some cases 
priorities can be encoded in the condition of rewrite rules, but the treatment 
here seems more convenient and simpler for the end-user. One interesting exercise 
would be to study how best to implement this feature in the framework K and 
for real-time specifications in rewriting logic. 

The contribution of this paper to rewriting logic research is the implementa- 
tion of general synchronous set relations via asynchronous set rewrite systems. 
This work extends previous work reported in [11] by giving an on-the-fly im- 
plementation of the serialization procedure for rewrite theories that supports 
execution and verification of more general synchronous set relations. The frame- 
work exploits rewriting logic’s reflective capabilities, and its implementation in 
Maude, to soundly and completely simulate the synchronous relation associated 
to an atomic relation and a maximal strategy specified by atomic rules. This 
work also generalizes the concept of priority, so that more general synchronous 
set relations are supported both theoretically and in the Maude infrastructure. 
A priority, as treated in this work, allows for nondeterministic synchronous re- 
lations even when the atomic relation is deterministic. In [11], the only possible 
nondeterminism in a synchronous relation arises from its atomic relation. A 
direct benefit to the user from using the infrastructure presented in this paper, 
is the wealth of Maude’s ground analysis tools for rewrite theories such as its 
rewrite and search commands, and its LTL Model Checker. 

Although the framework is illustrated with simple examples, it is currently 
being used to specify an executable semantics in Maude of the Plan Execu- 
tion Interchange Language (PLEXIL) [5], an open source synchronous language 
developed by NASA to support autonomous spacecraft operations. This spec- 
ification enables the application of formal verification techniques available in 
Maude, such as model-checking and reachability analysis, to PLEXIL programs. 

The Maude infrastructure presented in this work is a first prototype of the 
theoretical developments. Future work includes the development of a wider range 
of case studies stressing the infrastructure’s capabilities; it is also important 
to streamline the algorithms and data structures in the infrastructure. Future 
work in the area of deductive analysis will study symbolic reachability analysis 
techniques in rewriting logic for synchronous set relations. More specifically, 
adapting the rewriting and narrowing based techniques developed in [10], seems 
promising for the analysis of safety properties of synchronous set relations. 